security and contributors.md (#3187)

* security and contributors.md

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>

* Update README.md

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>

* Update README.md

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>

* Create CONTRIBUTING.md

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>

* Update README.md

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>

* Update README.md

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>

---------

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>

Author: juliusvonkohout

CONTRIBUTING.md

@@ -0,0 +1 @@
+If you are a contributor please consult [Best Practices](https://kubectl.docs.kubernetes.io/references/kustomize/) and the [main README.md](./README.md)

README.md

@@ -23,7 +23,7 @@ You can also install the master branch of [`kubeflow/manifests`](https://github.
   - [Change Default User Password](#change-default-user-password)
 - [Upgrading and Extending](#upgrading-and-extending)
 - [Release Process](#release-process)
-- [CVE Scanning](#cve-scanning)
+- [Security](#security)
 - [Pre-commit Hooks](#pre-commit-hooks)
 - [Resource Usage by components](#resource-usage-by-components)
 - [Frequently Asked Questions](#frequently-asked-questions)
@@ -32,7 +32,11 @@ You can also install the master branch of [`kubeflow/manifests`](https://github.
 
 ## Overview of the Kubeflow Platform
 
-This repository is owned by the [Platform/Manifests Working Group](https://github.com/kubeflow/community/blob/master/wg-manifests/charter.md). If you are a contributor authoring or editing the packages, please see [Best Practices](https://kubectl.docs.kubernetes.io/references/kustomize/). You can join the CNCF Slack and access our meetings at the [Kubeflow Community](https://www.kubeflow.org/docs/about/community/) website. Our channel on the CNCF Slack is [**#kubeflow-platform**](https://app.slack.com/client/T08PSQ7BQ/C073W572LA2). You can also find our [biweekly meetings](https://bit.ly/kf-wg-manifests-meet), including the commentable [Agenda](https://bit.ly/kf-wg-manifests-notes).
+- This repository is owned by the [Platform/Manifests/security Working Group](https://github.com/kubeflow/community/blob/master/wg-manifests/charter.md). 
+- You can join the CNCF Slack and access our meetings at the [Kubeflow Community](https://www.kubeflow.org/docs/about/community/) website.
+- Our channel on the CNCF Slack is [**#kubeflow-platform**](https://app.slack.com/client/T08PSQ7BQ/C073W572LA2). 
+- You can also find our [biweekly meetings](https://bit.ly/kf-wg-manifests-meet), including the commentable [Agenda](https://bit.ly/kf-wg-manifests-notes).
+- If you want to contribute, please take a look at the [CONTRIBUTING.md](CONTRIBUTING.md).
 
 The Kubeflow Manifests repository is organized under three main directories, which include manifests for installing:
 
@@ -666,18 +670,11 @@ context, all due to the `minAvailable` attribute:
 
 The Manifest Working Group releases Kubeflow based on the [release timeline](https://github.com/kubeflow/community/blob/master/releases/handbook.md#timeline). The community and the release team work closely with the Manifest Working Group to define the specific dates at the start of the [release cycle](https://github.com/kubeflow/community/blob/master/releases/handbook.md#releasing) and follow the [release versioning policy](https://github.com/kubeflow/community/blob/master/releases/handbook.md#versioning-policy), as defined in the [Kubeflow release handbook](https://github.com/kubeflow/community/blob/master/releases/handbook.md).
 
-## CVE Scanning
+### Security
 
 To view all past security scans, head to the [Image Extracting and Security Scanning GitHub Action workflow](https://github.com/kubeflow/manifests/actions/workflows/trivy.yaml). In the logs of the workflow, you can expand the `Run image extracting and security scanning script` step to view the CVE logs. You will find a per-image CVE scan and a JSON dump of per-WorkingGroup aggregated metrics. You can run the Python script from the workflow file locally on your machine to obtain the detailed JSON files for any git commit.
 
-The Kubeflow security working group follows a responsible disclosure policy for CVE results:
-
-- **Internal Review**: All CVE findings are initially reviewed internally by the security working group.
-- **Severity Assessment**: Each CVE is assessed for severity and potential impact on the Kubeflow project.
-- **Disclosure**: For high and critical severity CVEs, the security working group will:
-  - Notify the maintainers and contributors.
-  - Try to provide a fix or mitigation strategy.
-  - Publicly disclose the CVE details.
+For more infromation please consult the [SECURITY.md](./SECURITY.md).
 
 ## Pre-commit Hooks
 

SECURITY.md

@@ -0,0 +1,64 @@
+# Security Policy
+
+## Supported Versions
+
+Kubeflow Pipelines versions are expressed as `X.Y.Z`, where X is the major version,
+Y is the minor version, and Z is the patch version, following the
+[Semantic Versioning](https://semver.org/) terminology.
+
+The Kubeflow Pipelines project maintains release branches for the most recent two minor releases.
+Applicable fixes, including security fixes, may be backported to those two release branches,
+depending on severity and feasibility.
+
+Users are encouraged to stay updated with the latest releases to benefit from security patches and
+improvements.
+
+## Reporting a Vulnerability
+
+We're extremely grateful for security researchers and users that report vulnerabilities to the
+Kubeflow Open Source Community. All reports are thoroughly investigated by Kubeflow projects owners.
+
+You can use the following ways to report security vulnerabilities privately:
+
+- Using the Kubeflow Platform repository [GitHub Security Advisory](https://github.com/kubeflow/manifests/security/advisories/new).
+- Using our private Kubeflow Steering Committee mailing list: ksc@kubeflow.org.
+
+Please provide detailed information to help us understand and address the issue promptly.
+
+## Disclosure Process
+
+**Acknowledgment**: We will acknowledge receipt of your report within 10 business days.
+
+**Assessment**: The Kubeflow projects owners will investigate the reported issue to determine its
+validity and severity.
+
+**Resolution**: If the issue is confirmed, we will work on a fix and prepare a release.
+
+**Notification**: Once a fix is available, we will notify the reporter and coordinate a public
+disclosure.
+
+**Public Disclosure**: Details of the vulnerability and the fix will be published in the project's
+release notes and communicated through appropriate channels.
+
+## Prevention Mechanisms
+
+Kubeflow Pipelines employs several measures to prevent security issues:
+
+**Code Reviews**: All code changes are reviewed by maintainers to ensure code quality and security.
+
+**Dependency Management**: Regular updates and monitoring of dependencies (e.g. Dependabot) to
+address known vulnerabilities.
+
+**Continuous Integration**: Automated testing and security checks are integrated into the CI/CD pipeline.
+
+**Image Scanning**: Container images are scanned for vulnerabilities.
+
+## Communication Channels
+
+For the general questions please join the following resources:
+
+- Kubeflow [Slack channels](https://www.kubeflow.org/docs/about/community/#kubeflow-slack-channels).
+
+- Kubeflow discuss [mailing list](https://www.kubeflow.org/docs/about/community/#kubeflow-mailing-list).
+
+Please **do not report** security vulnerabilities through public channels.